In 2015, President Obama signed an Executive Order (E.O. 13691) to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government. Rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats. DHS’ Mike Echols was assigned by the White House to develop the ISAO program.
One goal was to encourage the private sector to embrace cybersecurity collaboration. The E.O. was to encourage the development of Information Sharing and Analysis Organizations (ISAOs). ISAOs would serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. Information Sharing and Analysis Centers (ISACs) are already essential drivers of effective cybersecurity collaboration, and could constitute ISAOs under this new framework. To be clear, ISACs are ISAOs. E.O. 13691 expanded information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat. An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.
The International Association of Certified ISAOs (IACI) is developing a common set of standards for information sharing organizations. IACI is a non-profit organization developing this baseline to enable ISAOs to quickly demonstrate their policies and security protocols to potential partners. This will make collaboration safer, faster, and easier, and ensure greater coordination within the private sector to respond to cyber threats.